The conversation is becoming more commonplace about whether companies should pay in a ransomware attack. Unfortunately, these crippling cyber-assaults are taking place too frequently across the globe, with targets and outcomes getting more consequential and more threatening for our workforce and communities.
Cyber-criminals and other nefarious actors are hitting all levels of industry both large and small across the world that have a direct impact on essential needs including fuel, healthcare, public utilities, and agricultural supply chains. In recent months we’ve seen the impact on agriculture via an attack on an Australian meat processor, the impact on healthcare due to an attack on five hospitals in the New Zealand district of Waikato which caused major disruption to IT systems, and the Colonial Pipeline attack in the US which threatened the country’s fuel distribution network.
In a vacuum, the guidance not to pay makes total sense. We don’t want to negotiate with criminals. But when you need to get your business back online, a cost/benefit analysis is going to come into play, and a company is going to do what it needs to do to have continuity. Good cyber-hygiene and open discussions on possible threats and mitigation has to be a focus to avoid getting to this point.
Globally, we must learn from each other. The catastrophic attacks experienced by organisations in all corners of the globe in the last month alone instigates the necessity for IT professionals to ensure preparedness for ransomware attacks is on top of their agenda.
The Colonial Pipeline attack sparked a major response from leaders and authorities across the globe. In the days following this attack, an intensive survey was conducted by global IT professional association ISACA, to discover how IT professionals feel about negotiating with cyber-criminals.
The insights certainly validate my own views including:
- Only 22% say a critical infrastructure organisation should pay the ransom if attacked.
- 84% of respondents believe ransomware attacks will become more prevalent in the second half of 2021.
- Four out of five survey respondents say they do not think their organisation would pay the ransom if a ransomware attack hit their organisation.
Among the survey’s other findings:
- 85% of respondents say they think their organisation is at least somewhat prepared for a ransomware attack, but just 32% say their organisation is highly prepared.
- Four in five respondents say their organisation is more prepared for ransomware incidents now than four years ago.
- Two-thirds of respondents expect their organisation to take new precautions in the aftermath of the Colonial Pipeline incident.
- Nearly half of respondents (46%) consider ransomware to be the cyberthreat most likely to impact their organisation in the next 12 months.
- Despite the clear risks from ransomware attacks, 38% of respondents say their company has not conducted any ransomware training for their staff.
I’m extremely encouraged by the fact that more than 80% of organisations are more prepared for ransomware incidents now than they were four years ago and that so many will be taking new precautions after Colonial Pipeline. Open reporting of cyberattacks appears to be working, and in this transparency, we can expect to see newer threats mitigated earlier with faster response times. Also, being prepared and conducting table-top exercises with the right stakeholders and responsible parties can help prevent reactionary responses and instead create a pro-active posture for cybersecurity programs within organisations.
In addition, knowing your responses, RTO and RPO, and risk appetite, will not only help in preparing for a ransomware event, but also in understanding what your enterprise’s threshold is in the decision-making process for considering whether to pay the nefarious actors to get your business back up and running. This decision will, of course, need to happen on a case-by-case basis.
My top 10 steps to ensure companies are better prepared for, and help prevent, ransomware attacks are:
- Understand risk profiles—Organisations should have their risk assessed to accurately prepare for potential attacks. To do this, cybersecurity teams must take inventory of responsibilities, products and services, and the technical requirements affiliated with each. By defining these risk areas, cyberteams can better assess areas that require the most attention when allocating cybersecurity resources.
- Realise data responsibilities—Each employee on a cybersecurity team should realise the types of data that they are responsible for storing, transmitting and protecting.
- Test for incoming phishing attacks—Most attacks start with a phishing campaign, and they continue to be effective. Try testing filters by sending yourself de-weaponised phishing emails identified by others from an external test email account. How often will they make it through? Test it. It is possible that email filters need to be strengthened.
- Assess all cybersecurity roles on a regular, event-controlled basis—Regularly assess and audit cybersecurity controls to ensure that they are applied and maintained appropriately. A truly mature organisation will test these controls on both a time-based schedule and in response to incidents.
- Evaluate patches on a timely basis—Ensure that patches are applied in an organised and methodical fashion. For vulnerable legacy systems that cannot be patched or updated, isolate them in the network and ensure that those systems do not have access to the Internet.
- Perform regular policy reviews—Make sure that all pertinent cybersecurity policies not only exist, but are also regularly evaluated and updated based on the ever-changing cybersecurity landscape. Specifically, update these policies based on both time-based schedules and event-based instances.
- Leverage threat intelligence appropriately—Reading and disseminating threat intelligence throughout a cybersecurity team can be overwhelming. Hacks and cyberattacks occur on a 24/7 basis, with different branches of similar attacks emerging overnight in many instances. Understanding which type of intelligence applies to your organisation and parsing it out correctly increases understanding of what threats may pose the greatest danger.
- Protect end-user devices—We often forget to ensure 100% protection of end-user devices—not only for devices within the network, but for all devices used by remote users to access systems. Exclusion lists should be minimal.
- Communicate clearly with executive leadership and employees—To gain executive support, ensure that reporting and communication to the leadership level is clear and accurate. Once leadership understands the threat, the risk and its potential impacts, cybersecurity teams are more likely to receive the funding and support required to protect the organisation.
- Comprehend organisational cybermaturity—All points listed here are a part of comprehending an organisation’s cybermaturity, or its developed defensive readiness against potential cyberattacks and exploitations. Tools like the CMMI Cybermaturity Platform can help organisations understand and improve their cybermaturity.
We are living in a world where company leaders should assume they will find themselves being held to ransom by cyber-criminals. Implementing the steps and having the right discussions with the right people in an organisation to protect the company ahead of this very real possibility is the best way to avoid decision making about whether to pay a ransom.